Pool 615/bstier+phiggins/restart services on secrets change #1313
Conversation
| @@ -27,13 +29,43 @@ | |||
| "opscode-reporting" => ["rabbitmq_password", "sql_password", "sql_ro_password"], | |||
| } | |||
|
|
|||
| SERVICES_REQUIRING_RESTART = { | |||
There was a problem hiding this comment.
just had to try this, but your flat structure is more space-efficient:
SERVICES_REQUIRING_RESTART = {
bookshelf: {
access_key_id: ["opscode-erchef", "bookshelf"]
secret_access_key: ["opscode-erchef", "bookshelf"],
sql_password: ["bookshelf"],
},
'chef-server': {
superuser_key: ["opscode-reporting"],
webui_key: ["oc_id"],
webui_pub_key: ["opscode-erchef", "opscode-reporting"],
},
data_collector: {
token: ["opscode-erchef", "nginx"],
},
ldap: {
bind_password: ["opscode-erchef"],
},
manage: {
secret_key_base: ["chef-manage"],
secret_token: ["chef-manage"],
},
oc_bifrost: {
sql_password: ["oc_bifrost"],
superuser_id: ["opscode-erchef", "oc_bifrost", "opscode-chef-mover"],
},
oc_id: {
secret_key_base: ["oc_id"],
sql_password: ["oc_id"],
},
'opscode-reporting': {
rabbitmq_password: ["opscode-reporting"],
sql_password: ["opscode-reporting"],
},
opscode_erchef: {
sql_password: ["opscode-erchef", "opscode-chef-mover"],
},
'push-jobs-server': {
pushy_priv_key: ["opscode-push-jobs-server"],
pushy_pub_key: ["opscode-push-jobs-server"],
sql_password: ["opscode-push-jobs-server"],
},
rabbitmq: {
actions_password: ["opscode-erchef", "opscode-reporting"],
management_password: ["opscode-erchef", "rabbitmq"],
password: ["opscode-erchef", "opscode-expander", "rabbitmq"],
},
redis_lb: {
password: ["opscode-chef-mover", "nginx", "redis_lb"],
},
saml: {
client_id: ["chef-manage"],
client_secret: ["chef-manage"],
}
}
There was a problem hiding this comment.
We considered this but thought it was not worth the hassle vs what we ended up with.
| "push-jobs-server.pushy_pub_key" => ["opscode-push-jobs-server"], | ||
| "push-jobs-server.sql_password" => ["opscode-push-jobs-server"], | ||
| "rabbitmq.actions_password" => ["opscode-erchef", "opscode-reporting"], | ||
| "rabbitmq.management_password" => ["opscode-erchef", "rabbitmq"], |
There was a problem hiding this comment.
Can we remove rabbitmq here? That's actually another edge case ( 🤦♀️ , right?): restarting rabbitmq will not make these changes have any effect on the rabbitmq side, because it's the rabbitmq recipe that changes those passwords.
I don't believe we should account for that in any way, just remove it here. (Rationale: If you mess with your RMQ passwords, you better know what you're doing.)
There was a problem hiding this comment.
@srenatus We weren't sure if you meant we should remove this line altogether or if we should remove rabbitmq from the list of services to be restarted. We ended up doing the second one, so hopefully that's what you meant!
There was a problem hiding this comment.
👍 that's what I've meant, sorry for having been ambiguous.
| credentials.add(group, key, value: secret, frozen: true, force: true) | ||
| credentials.save | ||
| lookup = "#{group}.#{key}" | ||
| puts "#{lookup} changed." |
There was a problem hiding this comment.
We actually put that in there as intentional logging-- what do you think?
There was a problem hiding this comment.
Oh! 😁 Sorry. I think I'd rather remove it ;)
There was a problem hiding this comment.
Deleting seems fine to me :)
| lookup = "#{group}.#{key}" | ||
| puts "#{lookup} changed." | ||
|
|
||
| #TODO: do we need to guard against services being empty? (KNOWN_CREDS being out of sync w/ service list) |
There was a problem hiding this comment.
The connection betweenSERVICES_REQUIRING_RESTART and KNOWN_CREDS is that every key of SERVICES_REQUIRING_RESTART should be in KNOWN_CREDS; but you're right, there could be a reason for adding something to KNOWN_CREDS that doesn't have a service depend on it.
irb(main):001:0> Array(nil)
=> []
So, I think what you have there is 👍
| if service == "chef-manage" | ||
| Mixlib::ShellOut.new("chef-manage-ctl restart").run_command | ||
| else | ||
| run_sv_command_for_service("restart", service) |
There was a problem hiding this comment.
Given this, I believe you could also make this line restart(service)
There was a problem hiding this comment.
We're intentionally avoiding calling run_sv_service, since that calls exit! and this code potentially will be called more than once. https://github.com/chef/omnibus-ctl/blob/76347dd8e3281928e69e00cca87721d48b0e0e14/lib/omnibus-ctl.rb#L359
| @@ -0,0 +1,151 @@ | |||
| # | |||
| # Copyright 2016 Chef Software, Inc. | |||
There was a problem hiding this comment.
[nit] This file is new isn't it? Let's make this 2017 then
Hmm what do you think? I'm leaning towards yes, I think... (Feel free to spin this off into another card)
It would be nice to add a line to Also, I believe adding a short note here in chef-web-docs would be good. |
Signed-off-by: Blake Stier <bstier@chef.io> Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Blake Stier <bstier@chef.io> Signed-off-by: Pete Higgins <phiggins@chef.io> Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Blake Stier <bstier@chef.io> Signed-off-by: Pete Higgins <phiggins@chef.io> Signed-off-by: Pete Higgins <pete@peterhiggins.org>
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
phiggins
force-pushed
the
POOL-615/bstier+phiggins/restart-services-on-secrets-change
branch
from
12730e3
to
c5853ff
Compare
|
@blakestier @phiggins About "where do we document this?" we should add a section at: https://docs.chef.io/ctl_chef_server.html#set-secret |
|
Updated doc PR: chef/chef-web-docs#736 |
Signed-off-by: Blake Stier <bstier@chef.io>
| "saml.client_secret" => ["chef-manage"], | ||
| } | ||
|
|
||
| MANAGE_SVDIR = "/opt/chef-manage/sv/" |
There was a problem hiding this comment.
[nit] I wonder if it is a good idea to put this constant at the top of the file? 🤔
|
|
||
| def restart_manage_or_other_service(service) | ||
| if service == "chef-manage" | ||
| Mixlib::ShellOut.new("chef-manage-ctl restart", :env => { "SVDIR" => MANAGE_SVDIR }).run_command |
| end | ||
| end | ||
|
|
||
| #this is an unlikely scenario, but worth guarding against confusing messaging about restarting services that are not installed/enabled |
There was a problem hiding this comment.
Thank you for putting comments!! Though a few needs an space in front of #. Totally a nit!!! 😉
blakestier
force-pushed
the
POOL-615/bstier+phiggins/restart-services-on-secrets-change
branch
from
eb19e2e
to
6895b86
Compare
| context "when chef-manage depends on the changed secret but is not installed" do | ||
| before do | ||
| allow(veil_creds).to receive(:add).with("manage", "secret_key_base", {:value=>"new_key", :frozen=>true, :force=>true}) | ||
| allow(File).to receive(:exist?).with("/opt/chef-manage/sv/").and_return(false) |
There was a problem hiding this comment.
[nit] Should we make opt/chef-manage/sv also a constant/variable in the tests?
|
BTW, We might want to run an ad_hoc build to test this in the pipeline. |
Signed-off-by: Blake Stier <bstier@chef.io> Specs were breaking with Rspec not found error without this update
blakestier
force-pushed
the
POOL-615/bstier+phiggins/restart-services-on-secrets-change
branch
from
6895b86
to
cca2972
Compare
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
phiggins
force-pushed
the
POOL-615/bstier+phiggins/restart-services-on-secrets-change
branch
from
2a86dc0
to
f3d40b2
Compare
What raises the question if anything in the pipeline uses |
phiggins
deleted the
POOL-615/bstier+phiggins/restart-services-on-secrets-change
branch
chef-server-ctl set-secret --with-restartrestarts all enabled services dependent on changed secret.chef-server-ctl set-secretadvises restart of all enabled services dependent on changed secret.Secrets can also be changed without the
chef-server-ctl set-secretcommand, but that path is not addressed here. POOL-647 opened.Questions:
This PR does not handle the
remove-secretctl command, either. Should it?Where should we document this change?